a new rsa based signature scheme
play

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk - PowerPoint PPT Presentation

Sep 02, 2023 •127 likes •647 views

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

  1. A New RSA-Based Signature Scheme Sven Sch¨ age, J¨ org Schwenk Horst G¨ ortz Institute for IT-Security Africacrypt 2010 1 / 13

  2. RSA-Based Signature Schemes Na¨ ıve RSA signature scheme not secure under the standard definition of security – adaptive chosen message attacks [GMR99]. 2 / 13

  3. RSA-Based Signature Schemes Na¨ ıve RSA signature scheme not secure under the standard definition of security – adaptive chosen message attacks [GMR99]. RSA assumption is weaker than popular Strong RSA (SRSA) assumption. In contrast to SRSA: adversary is not allowed to choose from an exponentially large set of solutions. 2 / 13

  4. RSA-Based Signature Schemes Na¨ ıve RSA signature scheme not secure under the standard definition of security – adaptive chosen message attacks [GMR99]. RSA assumption is weaker than popular Strong RSA (SRSA) assumption. In contrast to SRSA: adversary is not allowed to choose from an exponentially large set of solutions. Only recently, in CRYPTO’09, Hohenberger and Waters (HW) presented the first hash-and-sign signature scheme that is solely secure under the RSA assumption. 2 / 13

  5. RSA-Based Signature Schemes Na¨ ıve RSA signature scheme not secure under the standard definition of security – adaptive chosen message attacks [GMR99]. RSA assumption is weaker than popular Strong RSA (SRSA) assumption. In contrast to SRSA: adversary is not allowed to choose from an exponentially large set of solutions. Only recently, in CRYPTO’09, Hohenberger and Waters (HW) presented the first hash-and-sign signature scheme that is solely secure under the RSA assumption. In this work: alternative RSA-based signature scheme with additional properties that are useful in privacy preserving systems. 2 / 13

  6. Observations A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1) 3 / 13

  7. Observations A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1) The SRSA-based Camenisch-Lysyanskaya (CL) scheme has proven very useful in many privacy preserving systems. Popular examples: Direct Anonymous Attestation (DAA), compact E-Cash. (Observation 2) 3 / 13

  8. Observations A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1) The SRSA-based Camenisch-Lysyanskaya (CL) scheme has proven very useful in many privacy preserving systems. Popular examples: Direct Anonymous Attestation (DAA), compact E-Cash. (Observation 2) Three useful properties of CL scheme: 3 / 13

  9. Observations A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1) The SRSA-based Camenisch-Lysyanskaya (CL) scheme has proven very useful in many privacy preserving systems. Popular examples: Direct Anonymous Attestation (DAA), compact E-Cash. (Observation 2) Three useful properties of CL scheme: Signature scheme supports signing several message blocks. 1 3 / 13

  10. Observations A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1) The SRSA-based Camenisch-Lysyanskaya (CL) scheme has proven very useful in many privacy preserving systems. Popular examples: Direct Anonymous Attestation (DAA), compact E-Cash. (Observation 2) Three useful properties of CL scheme: Signature scheme supports signing several message blocks. 1 There exist efficient (NIZK) protocols (in the ROM) to sign 2 commited values. 3 / 13

  11. Observations A single HW signature can be interpreted as a combination of several Gennaro-Halevi-Rabin signatures. (Observation 1) The SRSA-based Camenisch-Lysyanskaya (CL) scheme has proven very useful in many privacy preserving systems. Popular examples: Direct Anonymous Attestation (DAA), compact E-Cash. (Observation 2) Three useful properties of CL scheme: Signature scheme supports signing several message blocks. 1 There exist efficient (NIZK) protocols (in the ROM) to sign 2 commited values. There exist efficient (NIZK) protocols (in the ROM) for proving 3 knowledge of a signature without revealing it. 3 / 13

  12. Idea and Construction Idea: Combine Observation 1 & Observation 2 4 / 13

  13. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! 4 / 13

  14. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! Technique: 4 / 13

  15. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! Technique: Starting point CL scheme: CL proof considers three types of forgery. 4 / 13

  16. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! Technique: Starting point CL scheme: CL proof considers three types of forgery. Key observation: two of these forgeries already reduce security to the RSA assumption. 4 / 13

  17. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! Technique: Starting point CL scheme: CL proof considers three types of forgery. Key observation: two of these forgeries already reduce security to the RSA assumption. Remaining type of forgery can be dealt with using the new proving techniques of HW. 4 / 13

  18. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! Technique: Starting point CL scheme: CL proof considers three types of forgery. Key observation: two of these forgeries already reduce security to the RSA assumption. Remaining type of forgery can be dealt with using the new proving techniques of HW. In particular: integrate that for a string X all prefixes of X are processed as well. 4 / 13

  19. Idea and Construction Idea: Combine Observation 1 & Observation 2 Construct signatures that can be interpreted as the combination of several CL signatures. Perhaps the decisive properties of the CL scheme can still be found in the new construction! Technique: Starting point CL scheme: CL proof considers three types of forgery. Key observation: two of these forgeries already reduce security to the RSA assumption. Remaining type of forgery can be dealt with using the new proving techniques of HW. In particular: integrate that for a string X all prefixes of X are processed as well. Modified scheme still allows to reduce the first two forgeries to the RSA assumption (although the proof is slightly more complicated). 4 / 13

  20. Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems Advantages Disadvantages 5 / 13

  21. Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems Advantages New scheme supports signing several message blocks Disadvantages 5 / 13

  22. Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems Advantages New scheme supports signing several message blocks New scheme allows to sign commited values Disadvantages 5 / 13

  23. Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems Advantages New scheme supports signing several message blocks New scheme allows to sign commited values Proof technique can be transferred to Cramer-Shoup, Fischlin and Zhou signature scheme ⇒ Several new RSA-based signature schemes! Disadvantages 5 / 13

  24. Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems Advantages New scheme supports signing several message blocks New scheme allows to sign commited values Proof technique can be transferred to Cramer-Shoup, Fischlin and Zhou signature scheme ⇒ Several new RSA-based signature schemes! Disadvantages Signatures are larger than in HW (by just a single exponent) 5 / 13

  25. Contribution: New Signature Scheme with Useful Properties for Anonymity Preserving Systems Advantages New scheme supports signing several message blocks New scheme allows to sign commited values Proof technique can be transferred to Cramer-Shoup, Fischlin and Zhou signature scheme ⇒ Several new RSA-based signature schemes! Disadvantages Signatures are larger than in HW (by just a single exponent) Signature generation and verification take more time 5 / 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr. Mohamed Mahmoud Outline - What is Oblivious Signature-Based Envelope (OSBE)? - Applications - cryptosystem - Analysis 2 Problem Formulation -

339 views • 14 slides
Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR

257 views • 23 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz (Ruhr-Universit at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor

1.06k views • 36 slides
Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

633 views • 44 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua University 2 Centrum Wiskunde & Informatica January 2019, London 1 / 42 This is a cryptanalysis work... Target: DRS a NIST lattice-based

1.32k views • 108 slides
Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal Signature Scheme, Cryptography in Practice: Random Number Odds and Ends on Public Key Crypto 2 Generation, Key Management Cryptography in Real Life 3

367 views • 14 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven -

New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven -

New variant of the UOV signa- ture scheme with smaller public keys Ward Beullens KULeuven - ESAT 26 June 2017 The UOV signature scheme 2/6 The Unbalanced Oil and Vinegar (UOV) signature scheme has withstood attacks since its formulation in

476 views • 6 slides
Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

475 views • 24 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum

Hash-based Signatures IETF/IRTF CFRG Draft on XMSS Fraunhofer Workshop Series 01 Post-Quantum Cryptography in Practice Speaker: Dr. Bernhard Jungk 1 eXtended Merkle Signature Scheme 2 eXtended Merkle Signature Scheme Why should we look

949 views • 39 slides
"A proof is whatever convinces me.", Shimon Even. G ROTH -S AHAI P ROOFS R EVISITED 1 /

"A proof is whatever convinces me.", Shimon Even. G ROTH -S AHAI P ROOFS R EVISITED 1 /

N ON -I NTERACTIVE P ROOF S YSTEMS G ROTH -S AHAI P ROOFS C ORRECTED G ROTH -S AHAI NIWI P ROOFS G ROTH -S AHAI P ROOFS IN T YP G ROTH -S AHAI P ROOFS R EVISITED E. Ghadafi N.P. Smart B. Warinschi Department of Computer Science, University of

613 views • 29 slides
Security and Privacy of Blockchain Protocols and Applications Sergei Tikhomirov

Security and Privacy of Blockchain Protocols and Applications Sergei Tikhomirov

Security and Privacy of Blockchain Protocols and Applications Sergei Tikhomirov Esch-sur-Alzette, Luxembourg, 17 September 2020 Part 1 Introduction Problems with government-controlled money Unpredictable issuance Censorship and

763 views • 51 slides
X RIPEMD-160 SHA-256 SHA-512 This is an input to a crypto- SHA-3 graphic hash function. The

X RIPEMD-160 SHA-256 SHA-512 This is an input to a crypto- SHA-3 graphic hash function. The

17 December 2019 Bart Preneel Blcokchain and Distributed Consensus: Hype or Science? Blockchain and Distributed Outline Consensus: A short history lesson Hype or Science? Highlights of Bitcoin Design - crypto problems PROF. DR. IR. BART

772 views • 19 slides
Is Bitcoin a suitable research topic? Digital Conference Seminar Clermont-Ferrand, France

Is Bitcoin a suitable research topic? Digital Conference Seminar Clermont-Ferrand, France

Is Bitcoin a suitable research topic? Digital Conference Seminar Clermont-Ferrand, France November 13th, 2014 Jordi Herrera-Joancomart jordi.herrera@uab.cat Universitat Aut` onoma de Barcelona Introduction Bitcoin description

972 views • 49 slides
22:010:622 Internet Technology and E-Business Dr. Peter R. Gillett Associate Professor

22:010:622 Internet Technology and E-Business Dr. Peter R. Gillett Associate Professor

22:010:622 Internet Technology and E-Business Dr. Peter R. Gillett Associate Professor Department of Accounting & Information Systems Rutgers Business School Newark & New Brunswick Dr. Peter R Gillett March 26, 2003 1 Overview

773 views • 45 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 05: Introduction to Cryptography Outline of this Lecture A brief

446 views • 16 slides
Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy

Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy

PR eparing I ndustry to P rivacy-by-design by supporting its A pplication in RE search Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy scenario Protect personal data from third parties Data

359 views • 9 slides
Introduction to Course Helger Lipmaa Institute of Computer Science University of Tartu

Introduction to Course Helger Lipmaa Institute of Computer Science University of Tartu

MTAT.07.005 Cryptographic Protocols Introduction to Course Helger Lipmaa Institute of Computer Science University of Tartu http://www.cs.ut.ee/lipmaa T-79.159 Cryptography and Data Security, 14.02.2005 Introduction to Course, Helger Lipmaa

665 views • 8 slides

More recommend